OT-centric, open-source ETHOS platform launched for sharing anonymous early warning threat information

OT cybersecurity companies unveiled Monday plans for ETHOS (Emerging THreat Open Sharing), an open-source, vendor-agnostic technology platform for sharing anonymous early warning threat information across industries with peers and governments. The OT-centric, open-source platform is a cooperative development in the OT (operational technology) security industry, with the goal of sharing data to investigate early threat indicators and discover new and novel attacks.

Founding ETHOS community members include 1898 & Co., ABS Group, Claroty, Dragos, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable, and Waterfall Security. General membership applications will be available in June this year. The platform is run by an independent mutual benefit corporation with an open-source GitHub community, with no central authority that retains ownership of its intellectual property. Governance is structured by community members and licensed users.

The inaugural Board of Directors comprises Robin Berthier of Network Perception, Brian Dunphy of Claroty, Andrew Ginter of Waterfall Security, Keon McEwen of ABS Group, Thomas Pace of NetRise, Edward Turkaly of Schneider Electric, Andrea Carcano of Nozomi Networks, Marty Edwards of Tenable, Kimberly Graham of Dragos, Matthew Morris of 1898 & Co., and Daniel dos Santos of Forescout. These directors will serve two-year terms, and elections will take place again in March 2025.

A nonprofit entity run by an independent mutual benefit corporation, the ETHOS platform is designed to work within OT/ICS environments. However, the open API could be utilized by any cybersecurity vendor/solution observing potential security events. “Our intention for this community is to share vital OT information to enable real-time security awareness across various critical infrastructure sectors and locations,” according to a post.

Its objectives include building an open-source codebase and platform for ETHOS’ OT/ICS devices and networks for data sharing and collaboration, making innovative and egalitarian design and governance decisions, and producing code that allows for early warning detections for cybersecurity teams and stakeholders, to benefit the cybersecurity community without seeking a profit.

As a GitHub community project, the platform correlates security events across any number of end users regardless of the security solutions they use, requiring integration with security vendor technologies to send and receive correlated notifications. Additionally, any individual, organization or security vendor may contribute to ETHOS, its direction and future developments.

The platform enables any entity or security vendor to contribute to the project as a client and/or host their own server to compare shared information. As it is not a shared proprietary threat intelligence feed with signatures, detections and alerts from competitive monitoring tools and solutions, ETHOS is not a replacement for STIX/TAXII, and is complementary to STIX/TAXII information sharing, the existing DHS Cyber Information Sharing and Collaboration Program (CISCP) and Department of Energy (DoE) technologies including Essence and Cyber Risk Information Sharing Program (CRISP).

An initial beta project will stand up one server with initial ETHOS community members; however, the open-source platform will allow any organization to create its own ETHOS server to invite and integrate with clients and vendors to share and corroborate information at any level.

While the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is not involved in the development of the ETHOS platform, it has received a technical briefing on the fundamental objectives of ETHOS. The agency is also said to have ‘expressed excitement for the industry to be collaborating for the betterment of critical infrastructure cybersecurity. They will be in communication as the project proceeds.’

“Critical infrastructure defenders have felt like they are on an island,” Morris, managing director for security and risk consulting at 1898 & Co., said in a media statement. “To remain highly vigilant against potential attacks and adversaries, ETHOS provides collective defense through vendor-agnostic information-sharing from both public and private sources that enables improved metrics like time-to-detection and time-to-respond.”

“ETHOS is answering the call to protect the nation’s critical infrastructure by tearing down barriers and closing the gap on how we can rapidly respond to new and emerging threats impacting the safety and security of industrial operations,” Moody, president and CEO at ABS Group, said. “ETHOS fills an important and necessary function to create collaboration between technology providers, OEMs and service providers, and leads to solutions that meet the increasing challenge of industrial cyber risk.” 

Dunphy, Claroty’s vice president for product management, said that defending critical infrastructure against rapidly evolving threat actors requires a collective defense, such that an attack against one results in better protection for all. “ETHOS’s real-time sharing of actionable threat intelligence across vendors and enterprises is key to reducing blind spots and illuminating threat actors before they can disrupt the very systems that we all depend on every day.”

He also added that with Claroty’s expertise in threat detection for OT/ICS environments and its commitment to sharing threat research with the wider community – its Team82 researchers have found and disclosed over 400 vulnerabilities to date – ‘we look forward to fostering the ETHOS community and working together to make the world’s most critical systems more secure and resilient.’

“Dragos has worked to build up the collective defense of the industrial community since our founding, and we are eager to also contribute to this cross-vendor initiative,” according to Graham, senior director of product management at Dragos. “We see the potential for ETHOS to become a valuable source of novel threat information that can be easily incorporated into a broader threat intelligence program.”

“You cannot act on what you don’t see or know, but we’re fundamentally changing that through the creation of this vendor-agnostic platform and outstanding group of industry firms,” dos Santos, head of security research at Forescout, said. “Critical infrastructure is on the road to achieving a stronger security posture because of these efforts to streamline information sharing, and we’re proud to play a part in it.”

Pace, CEO at NetRise, said that information sharing is at the foundation of what will make the OT/ICS ecosystem successful when it comes to preventing and detecting existing cyber-attacks. “With ETHOS, this cohort of vendors is bringing a new industry collaboration that promises to accelerate progress in this area, which will ultimately lead to a more secure national security cyber posture across the board.”

“OT cybersecurity is critical to the wellness, safety, and day-to-day life of citizens everywhere,” Berthier, co-founder and CEO at Network Perception, said. “Aligning with other ETHOS members for greater transparency and communication in the face of disaster is an easy decision for us and an important initiative for everyone.”

“The strongest defense is a collective one, including a vendor-agnostic mechanism for real-time sharing of early warning data,” according to Carcano, co-founder and chief product officer at Nozomi Networks. “The ETHOS platform will offer the most inclusive, creative, and proactive way to share OT threat information. Nozomi Networks is proud to have helped establish the ETHOS community.”

“With endless open sharing and active members’ contribution, ETHOS will provide a significant support for society to combat cybersecurity threats,” according to Turkaly, Schneider Electric’s director of cybersecurity offer management.

“A big challenge for the OT industry is differentiating which threats pose an actual risk to an organization and where they are exposed to such risk,” Edwards, deputy chief technology officer for OT and IoT at Tenable, said. “ETHOS is a vendor agnostic initiative that aspires to cut through the noise by automating the discovery and dissemination of real-world threat information from its industry members. The goal will be to provide the entire community with more insights into threats targeting new and known vulnerabilities in OT systems. By working together, the OT security community is stronger and more cyber resilient.”

“Cyber attacks causing shutdowns or malfunctions of OT / industrial control systems have more than doubled annually for the last four years. The time is ripe for the ETHOS project,” Ginter, vice president for industrial security at Waterfall Security, said. “The world needs OT threat intelligence so that we can look forward to see what’s coming at us, not just backwards to see how many times we’ve gone down.”
